Staff & Editor

Technical Tip: FortiOS IKEv2 Dialup VPN User and Multi-factor authentication resources

Forum|Forum|6 months ago
December 18, 2025
0 replies
4499 views

Description

This article provides an overview of guides and resources for User and Multi-Factor authentication in FortiOS IKEv2 Dialup IPsec VPN.

Scope

FortiOS v7 and later.

Solution

Determine the User source and required MFA method(s) and refer to the table below.

Non-SSO authentication
User source	MFA method	Related Links
Active Directory	FortiToken assigned to FortiGate	Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS)
	FortiToken assigned to FortiAuthenticator	Technical Tip: Authenticating Active Directory users to FortiGate IKEv2 VPN with FortiToken MFA on FortiAuthenticator
	IKE gateway certificate authentication	IPsec IKEv2 VPN 2FA with EAP and certificate authentication Technical Tip: Certificate authentication for IKEv2 VPN with RADIUS or LDAP user authentication
Remote RADIUS	FortiToken assigned to FortiGate	Same as Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA
	FortiToken or other OTP factors assigned on FortiGate	Local Users Remote Users
	Third-party MFA (Duo, Okta, etc.)	See third-party documentation. Configured timeouts must be long enough for user to perform the third-party MFA, see Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout', and how they work together
Local FortiGate Users	FortiToken	Add FortiToken multi-factor authentication
Local FortiGate Users	E-mail/SMS	Technical Tip: Email Two-Factor Authentication on FortiGate Technical Tip: Configuring SMS Two-Factor Authentication with 3rd party SMS provider
SSO (SAML) authentication
User source	MFA option	Related Links
Entra ID	FortiToken, E-mail/SMS	SAML IdP proxy for Azure
Entra ID	Third-Party MFA (e.g. Microsoft Authenticator)	Technical Tip: How to configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN Technical Tip: SSL VPN with Azure SAML authentication with multi-factor authentication (MFA) Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4 [Note: IPsec VPN and SSL VPN SSO configuration and options are similar.]
Google Workspace	FortiToken, E-mail/SMS	SAML IdP proxy for Google Workspace
Google Workspace	Third-party MFA	Technical Tip: Fortinet SSL VPN with G Suite MFA using SAML and SSO [Note: IPsec VPN and SSL VPN SSO configuration and options are similar.]
Any SSO	FortiIdentity Cloud	FortiIdentity Cloud \| Use Cases FortiIdentity Cloud \| Using SSO Applications
Any SSO	IKE gateway certificate authentication	Technical Tip: Certificate Authentication for FortiClient remote access dialup IPsec clients with SAML user authentication

User Sources:

Active Directory: Windows Active Directory, third-party LDAP, Azure AD, or Entra Connect.
Remote RADIUS: User credentials stored on FortiAuthenticator or authenticated against a third-party RADIUS server.
Local FortiGate Users: Users with credentials stored on FortiGate.
Entra ID: User credentials exist only in Entra and cannot be authenticated using Active Directory methods.
SSO: FortiGate IPsec as SAML SP to an external SAML IDP. External SAML IDPs include Entra ID, Google Workspace, and FortiIdentity Cloud as local or proxy IDPs.

If multiple user sources are required, it may be necessary to leverage network-id to configure multiple remote gateways. See the following articles:

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication.

Technical Tip: FortiClient support for multiple IKEv2 dialup tunnels at the same FortiGate Remote Gateway address

MFA Methods:

FortiToken: FortiIdentity Cloud, FortiToken Mobile, hardware FortiToken. One-time password (OTP) entry in FortiClient. On supported FortiOS versions, FortiIdentity Cloud and FortiToken Mobile also support push authentication using the FortiToken Mobile app.
E-mail/SMS: FortiGate or FortiAuthenticator delivers the OTP to the user's configured e-mail address or phone number using e-mail or SMS. User enters OTP on FortiClient, similar to FortiToken use cases.
IKE gateway certificate authentication: Authenticating to FortiOS dialup gateway using a client certificate rather than a pre-shared key. Considered a form of MFA if the client certificates are only installed on particular devices.
Third-Party: Any MFA method triggered on a non-Fortinet authentication product. Includes DUO, Entra MFA, Google Authenticator and other methods. FortiGate has no visibility on these MFA methods; from FortiGate's perspective, third-party MFA is simply unusually slow remote authentication.

Note:

IKEv2 Dialup IPsec VPN is the recommended alternative to FortiOS SSL VPN tunnel mode, and IKEv2 is recommended over IKEv1 for most new FortiOS remote access VPN deployments. See SSL VPN tunnel mode to IPsec VPN migration

Related articles:
Technical Tip: Required firmware/software versions for using FortiToken Mobile or OTP MFA with FortiGate IKEv2 Dialup IPsec

Technical Tip: FortiOS IKEv2 EAP user authentication operation

Technical Tip: IKEv2 dialup gateway with RADIUS user groups does not support other authentication servers
Technical Tip: Using the same TCP port for IPsec SAML authentication and IKE TCP encapsulation in FortiOS v7.6.1

Agentless Remote Access Resources:
SSL VPN to ZTNA Migration Guide

ZTNA Architecture | What is ZTNA Architecture?

SWG agentless mode

Description

Scope

Solution

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded